From: Sasha Levin Date: Tue, 14 Jan 2025 01:03:14 +0000 (-0500) Subject: Drop mm-zswap-fix-race-between-de-compression-and-cpu-hot.patch X-Git-Tag: v6.1.125~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a48dcb522e7ae8036229b020110fdded3ed318d8;p=thirdparty%2Fkernel%2Fstable-queue.git Drop mm-zswap-fix-race-between-de-compression-and-cpu-hot.patch Signed-off-by: Sasha Levin --- diff --git a/queue-6.12/mm-zswap-fix-race-between-de-compression-and-cpu-hot.patch b/queue-6.12/mm-zswap-fix-race-between-de-compression-and-cpu-hot.patch deleted file mode 100644 index b494fb0033e..00000000000 --- a/queue-6.12/mm-zswap-fix-race-between-de-compression-and-cpu-hot.patch +++ /dev/null @@ -1,119 +0,0 @@ -From c56e79d453ef5b5fc6ded252bc6ba461f12946ba Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 19 Dec 2024 21:24:37 +0000 -Subject: mm: zswap: fix race between [de]compression and CPU hotunplug - -From: Yosry Ahmed - -[ Upstream commit eaebeb93922ca6ab0dd92027b73d0112701706ef ] - -In zswap_compress() and zswap_decompress(), the per-CPU acomp_ctx of the -current CPU at the beginning of the operation is retrieved and used -throughout. However, since neither preemption nor migration are disabled, -it is possible that the operation continues on a different CPU. - -If the original CPU is hotunplugged while the acomp_ctx is still in use, -we run into a UAF bug as the resources attached to the acomp_ctx are freed -during hotunplug in zswap_cpu_comp_dead(). - -The problem was introduced in commit 1ec3b5fe6eec ("mm/zswap: move to use -crypto_acomp API for hardware acceleration") when the switch to the -crypto_acomp API was made. Prior to that, the per-CPU crypto_comp was -retrieved using get_cpu_ptr() which disables preemption and makes sure the -CPU cannot go away from under us. Preemption cannot be disabled with the -crypto_acomp API as a sleepable context is needed. - -Commit 8ba2f844f050 ("mm/zswap: change per-cpu mutex and buffer to -per-acomp_ctx") increased the UAF surface area by making the per-CPU -buffers dynamic, adding yet another resource that can be freed from under -zswap compression/decompression by CPU hotunplug. - -There are a few ways to fix this: -(a) Add a refcount for acomp_ctx. -(b) Disable migration while using the per-CPU acomp_ctx. -(c) Disable CPU hotunplug while using the per-CPU acomp_ctx by holding -the CPUs read lock. - -Implement (c) since it's simpler than (a), and (b) involves using -migrate_disable() which is apparently undesired (see huge comment in -include/linux/preempt.h). - -Link: https://lkml.kernel.org/r/20241219212437.2714151-1-yosryahmed@google.com -Fixes: 1ec3b5fe6eec ("mm/zswap: move to use crypto_acomp API for hardware acceleration") -Signed-off-by: Yosry Ahmed -Reported-by: Johannes Weiner -Closes: https://lore.kernel.org/lkml/20241113213007.GB1564047@cmpxchg.org/ -Reported-by: Sam Sun -Closes: https://lore.kernel.org/lkml/CAEkJfYMtSdM5HceNsXUDf5haghD5+o2e7Qv4OcuruL4tPg6OaQ@mail.gmail.com/ -Reviewed-by: Chengming Zhou -Acked-by: Barry Song -Reviewed-by: Nhat Pham -Cc: Vitaly Wool -Cc: -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - mm/zswap.c | 19 ++++++++++++++++--- - 1 file changed, 16 insertions(+), 3 deletions(-) - -diff --git a/mm/zswap.c b/mm/zswap.c -index 0030ce8fecfc..c86d4bcbb447 100644 ---- a/mm/zswap.c -+++ b/mm/zswap.c -@@ -875,6 +875,18 @@ static int zswap_cpu_comp_dead(unsigned int cpu, struct hlist_node *node) - return 0; - } - -+/* Prevent CPU hotplug from freeing up the per-CPU acomp_ctx resources */ -+static struct crypto_acomp_ctx *acomp_ctx_get_cpu(struct crypto_acomp_ctx __percpu *acomp_ctx) -+{ -+ cpus_read_lock(); -+ return raw_cpu_ptr(acomp_ctx); -+} -+ -+static void acomp_ctx_put_cpu(void) -+{ -+ cpus_read_unlock(); -+} -+ - static bool zswap_compress(struct folio *folio, struct zswap_entry *entry) - { - struct crypto_acomp_ctx *acomp_ctx; -@@ -887,8 +899,7 @@ static bool zswap_compress(struct folio *folio, struct zswap_entry *entry) - gfp_t gfp; - u8 *dst; - -- acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx); -- -+ acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx); - mutex_lock(&acomp_ctx->mutex); - - dst = acomp_ctx->buffer; -@@ -944,6 +955,7 @@ static bool zswap_compress(struct folio *folio, struct zswap_entry *entry) - zswap_reject_alloc_fail++; - - mutex_unlock(&acomp_ctx->mutex); -+ acomp_ctx_put_cpu(); - return comp_ret == 0 && alloc_ret == 0; - } - -@@ -954,7 +966,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) - struct crypto_acomp_ctx *acomp_ctx; - u8 *src; - -- acomp_ctx = raw_cpu_ptr(entry->pool->acomp_ctx); -+ acomp_ctx = acomp_ctx_get_cpu(entry->pool->acomp_ctx); - mutex_lock(&acomp_ctx->mutex); - - src = zpool_map_handle(zpool, entry->handle, ZPOOL_MM_RO); -@@ -984,6 +996,7 @@ static void zswap_decompress(struct zswap_entry *entry, struct folio *folio) - - if (src != acomp_ctx->buffer) - zpool_unmap_handle(zpool, entry->handle); -+ acomp_ctx_put_cpu(); - } - - /********************************* --- -2.39.5 - diff --git a/queue-6.12/series b/queue-6.12/series index eb35e25601b..b8ba0a2b936 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -183,5 +183,4 @@ drm-xe-oa-separate-batch-submission-from-waiting-for.patch drm-xe-oa-uapi-define-and-parse-oa-sync-properties.patch drm-xe-oa-add-input-fence-dependencies.patch xe-oa-fix-query-mode-of-operation-for-oar-oac.patch -mm-zswap-fix-race-between-de-compression-and-cpu-hot.patch drm-mediatek-only-touch-disp_reg_ovl_pitch_msb-if-af.patch